If you are a HIPAA shop then I'm sure your IT team is paying proper attention to this.

Hah! I AM the IT team. (I have a couple of part-time assistants who do help desk and maintenance, but I'm the CIO/SysAdmin/DBA/Systems Analyst/Code Monkey/chief cook and bottle washer.

We have an internal "cloud"; we don't use any form of commercial cloud storage for documents, or for any sensitive data (unless you count email as such; and sensitive data sent by email is password-encrypted in zip file attachments using 7-Zip). We do not host public-facing websites or email servers.

I have a consultant that I use for extremely technical purposes. I've requested their opinion on the issues.

I have a lot of stuff to research on my own, though, as I don't accept anybody's opinion without evaluating it for myself to the best of my ability.

My primary concern is what happens to the performance of VMWare when they issue a patch for this, and what happens to the performance of various vintages of MS Server that have been virtualized after I apply patches to them.

Ken